mysql injection damages?

南方客 2020-12-02 00:56

I just noticed that my mysql_real_escape_string function is not inside a '' in some of my PHP scripts and it was vulnerable to injections and things like

4 answers
  •  眼角桃花
    2020-12-02 01:50

    Without any further information, we have to assume the worst case: An attacker is able to read, write, and delete arbitrary data in your database, and possibly even files on your file system, which may lead to compromise of your whole server (e.g. command execution via PHP file, privilege escalation, etc.).


    Now let’s have a closer look at the possible impact:

    Since PHP’s MySQL extension does not allow multiple statements, so-called stacked statement attacks are not possible. So the remaining possibilities depend on the actual statement verb and the context, i.e. the clause inside the statement:

    • SELECT statement:
      • Reading any accessible data (e.g. sub-queries, unions, boolean-based blind, etc.)
      • Reading files (LOAD_FILE())
      • Writing files (… INTO OUTFILE …)
    • UPDATE statement:
      • Obviously updating any accessible data, possibly not just in the current table
      • Reading any accessible data (e.g. sub-queries, boolean-based blind)
    • DELETE statement:
      • Obviously deleting any accessible data, possibly not just from the current table
      • Reading any accessible data (e.g. sub-queries, boolean-based blind)
    • INSERT statement:
      • Obviously inserting arbitrary data
      • Reading any accessible data (e.g. sub-queries)

    Some of these may not have a direct impact but may be used to exploit other vulnerabilities. In the end, it depends on the actual vulnerable statement.
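
An added example, not part of the question or the answer above: it shows why escaping a value without surrounding quotes leaves a numeric context injectable, next to two corrected forms. `emulate_escape` is a hypothetical stand-in for `mysql_real_escape_string`, and an in-memory SQLite database (via PDO) stands in for MySQL so the script runs offline; the table, rows and input are constructed.

```php
<?php
// Added illustration, not code from the post. SQLite (in-memory, via PDO) stands in
// for MySQL so the script runs offline; table, rows and input are constructed.

// Mirrors the characters mysql_real_escape_string() escapes: \0 \n \r \ ' " \x1a
function emulate_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed request parameter; it contains no character the escaper touches.
$input = "1 OR 1=1";

// 1. Escaped but not quoted: escaping leaves the input as-is, so it is parsed as SQL.
$escaped = emulate_escape($input);
$sql = "SELECT name FROM users WHERE id = " . $escaped;
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped == input: %s\n", var_export($escaped === $input, true));
printf("unquoted query:   %s -> %d rows\n", $sql, count($rows));

// 2. Numeric context: validate as an integer and reject anything else.
$id = filter_var($input, FILTER_VALIDATE_INT);
printf("integer check:    %s\n", $id === false ? "rejected" : "accepted $id");

// 3. Prepared statement: the value is bound as data and never parsed as SQL.
$stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute([$input]);
printf("bound parameter:  %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// A legitimate id still works through the same prepared statement.
$stmt->execute(["2"]);
printf("bound '2':        %s\n", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)));
```

Escaping only neutralizes characters that would end a quoted string literal, so it protects a value only when that value sits inside quotes; for numeric contexts, integer validation or a bound parameter is the fix.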
